ArcotID PKI Authentication

ArcotID PKI is a challenge-response type of authentication in which the AuthMinder Server provides a challenge. The ArcotID PKI Client signs the challenge, and the signed challenge is sent back to the AuthMinder Server through the application. The following topics are explained in this section:

  1. ArcotID PKI Download
  2. ArcotID PKI Authentication

For successful ArcotID PKI authentication, you must ensure that you have integrated the ArcotID PKI Client with your application, as discussed in the chapter "Integrating ArcotID PKI Client with Application".

Note: ArcotID PKI download and authentication can be performed in multiple ways; see the chapter "Understanding AuthMinder WorkFlows" for more information. This section focuses on the APIs that are used for these operations.

ArcotID PKI Download

To perform ArcotID PKI authentication, the ArcotID PKI of the user has to be present on the system from which the authentication request originates. If the ArcotID PKI is not present, then it needs to be downloaded to that system. In such a case, the user must perform a secondary authentication before the ArcotID PKI is downloaded.

To download the ArcotID PKI:

  1. (Optional) If you are implementing a plug-in, then invoke the setAdditionalInput() method in the AdditionalInput class to obtain an object that implements the class.

    See "Preparing Additional Input" for more information.

  2. Invoke the getArcotID() method of the ArcotIDAuth interface to fetch the ArcotID PKI of the user to your application.

    This method returns an instance of the ArcotIDResponse interface, which contains the user's ArcotID PKI.

  3. Set the user's ArcotID PKI in the HTML page or Java Server Page (JSP).
  4. Invoke the ImportArcotID() client-side API to download the ArcotID PKI from your application to the end user’s system.

ArcotID PKI Authentication

To perform ArcotID PKI authentication:

  1. (Optional) If you are implementing a plug-in, then invoke the setAdditionalInput() method in the AdditionalInput class to obtain an object that implements the class.

    See "Preparing Additional Input" for more information.

  2. Invoke the getChallenge() method of the ArcotIDAuth interface to retrieve the challenge from the AuthMinder Server.

    This method returns an instance of the ArcotIDChallengeResponse interface, which contains the transaction details and the challenge from the server.

  3. Send the challenge to the end user through the HTML page.
  4. Invoke the ArcotID PKI Client-side method SignChallengeEx() to sign the challenge.

    The application collects the ArcotID PKI password, and the ArcotID PKI Client uses that password to sign the challenge.

  5. Invoke the verifySignedChallenge() method of the ArcotIDAuth interface to verify the signed challenge. Optionally, you can also specify the token type that must be returned to the user after successful authentication by using the AuthTokenType class.

    This method returns an instance of the AuthResponse interface, which provides the transaction details, credential details, and token information.
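The following is an added example, not code from the AuthMinder SDK or this guide, that models the challenge-response exchange of steps 2, 4 and 5 end to end so the security properties the procedure relies on are visible: the server issues a fresh random challenge bound to a user and a transaction, the client signs it with a key that stands in for the password-unlocked ArcotID PKI, and the server verifies the signature against the user's registered public key, consuming the challenge so it cannot be replayed and rejecting it once it has expired. All type, function and field names (Server, Challenge, GetChallenge, SignChallenge, VerifySignedChallenge, AuthResult) are hypothetical, Ed25519 is assumed as the signature scheme, and the ArcotID download from the previous section is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical model of the ArcotID PKI flow described above; nothing here is AuthMinder SDK code.
var (
	ErrUnknownUser      = errors.New("no public key registered for user")
	ErrUnknownChallenge = errors.New("challenge never issued or already used")
	ErrExpired          = errors.New("challenge expired")
	ErrBadSignature     = errors.New("signature does not verify for user's key")
)

// Challenge is the server's answer to getChallenge(): a fresh random nonce
// bound to a user and a transaction id, valid only for a short time.
type Challenge struct {
	ID, User, Nonce string // Nonce is hex-encoded random bytes
	ExpiresAt       time.Time
}

// SignedChallenge is what the client hands back through the application.
type SignedChallenge struct{ ChallengeID string; Signature []byte }

// AuthResult stands in for the AuthResponse returned on success.
type AuthResult struct{ User, Token string }

// Server models the AuthMinder Server side of the exchange.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // registered per-user public keys
	pending map[string]Challenge         // outstanding challenges, deleted on use
	ttl     time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}, ttl: ttl}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never be papered over
	}
	return hex.EncodeToString(b)
}

// Register stores the public half of a user's key (enrollment, not covered above).
func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// GetChallenge plays the role of ArcotIDAuth.getChallenge().
func (s *Server) GetChallenge(user string) (Challenge, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return Challenge{}, ErrUnknownUser
	}
	c := Challenge{ID: randomHex(16), User: user, Nonce: randomHex(32), ExpiresAt: time.Now().Add(s.ttl)}
	s.pending[c.ID] = c
	return c, nil
}

// signingInput is the exact byte string both sides sign and verify. Binding id, user
// and expiry, not only the nonce, stops a signature being reused for another transaction.
func signingInput(c Challenge) []byte {
	return []byte(fmt.Sprintf("arcotid-challenge|%s|%s|%s|%d", c.ID, c.User, c.Nonce, c.ExpiresAt.Unix()))
}

// VerifySignedChallenge plays the role of ArcotIDAuth.verifySignedChallenge().
func (s *Server) VerifySignedChallenge(sc SignedChallenge) (AuthResult, error) {
	c, ok := s.pending[sc.ChallengeID]
	delete(s.pending, sc.ChallengeID) // single use, even when verification fails
	pk, userKnown := s.pubKeys[c.User]
	switch {
	case !ok:
		return AuthResult{}, ErrUnknownChallenge
	case time.Now().After(c.ExpiresAt):
		return AuthResult{}, ErrExpired
	case !userKnown:
		return AuthResult{}, ErrUnknownUser
	case !ed25519.Verify(pk, signingInput(c), sc.Signature):
		return AuthResult{}, ErrBadSignature
	}
	return AuthResult{User: c.User, Token: randomHex(16)}, nil
}

// SignChallenge plays the role of the client-side SignChallengeEx(); the private
// key stands in for the ArcotID PKI unlocked with the user's password.
func SignChallenge(priv ed25519.PrivateKey, c Challenge) SignedChallenge {
	return SignedChallenge{ChallengeID: c.ID, Signature: ed25519.Sign(priv, signingInput(c))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	srv := NewServer(2 * time.Minute)
	srv.Register("alice", pub)
	c, _ := srv.GetChallenge("alice")                             // step 2
	res, err := srv.VerifySignedChallenge(SignChallenge(priv, c)) // steps 4 and 5
	fmt.Println(res.User, err)
}
```

The server keeps the authoritative copy of every challenge it issued and verifies against that copy, not against fields echoed back by the client, so altering the user, nonce or expiry on the client side only produces a signature that fails to verify. Deleting the challenge before the outcome is known is deliberate: a challenge that failed verification must not remain available for a second attempt.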